"Daniel J Walsh wrote:"
On 12/03/2009 12:33 AM, David Highley wrote:
I'm trying to get sshdfilter a Perl wrapper around sshd to work in Fedora 12. The script needs to be able to call iptables to drop in new rejection rules detected hacking connections. I used "semanage fcontext -a -t sshd_exec_t" which gave it the same context as sshd. I have not been able to change the unconfined_u to system_u: lz -Z /usr/sbin/sshdfilter unconfined_u:object_r:sshd_exec_t:s0
I was getting avc errors so I created an allow policy: module mysshdfilter 1.0;
require { type iptables_exec_t; type iptables_t; type sshd_t; class file execute; class fifo_file read; }
#============= iptables_t ============== allow iptables_t self:fifo_file read;
#============= sshd_t ============== allow sshd_t iptables_exec_t:file execute;
Now I'm getting: time->Wed Dec 2 21:07:04 2009 type=USER_ROLE_CHANGE msg=audit(1259816824.474:201): user pid=3664 uid=0 auid=0 ses=12 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=?: exe= "/usr/sbin/sshd" hostname=? addr=? terminal=? res=failed'
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You probably want
iptables_domtrans(sshd_t)
I tried adding this statement to the file, but checkmodule gave syntax error. I tried searching through the selinux files but did not find an example of how to use the above statement.
The ROLE_CHANGE is not an SELinux error, it is just an audit message.
I will add the fifo_file rule to iptables policy
Fixed in selinux-policy-3.6.32-54.fc12
If you want to get real crazy you could write policy for /usr/sbin/sshdfilter
policy_module(sshdfilter, 1.0)
ssh_server_template(sshdfilter) iptables_domtrans(sshdfilter_t)